On Sun, 2013-04-14 at 00:27 +0530, Lakshmipathi.G wrote:
> Hi -
>
> I'm trying to allow guest_u user to execute 'screen' command. When
> guest_u executes screen, access gets denied,
> but I can't find any logs under /var/log/audit/audit.log. If SELinux
> disabled, guest_u can properly execute screen command.
>
> # grep screen /var/log/audit/audit.log | audit2allow -M screen
> Nothing to do
>
> How to provide screen command access to guest_u in a safe manner?
> Such a policy open up any other security issues?
> Thanks for any pointers/help.
>

guest_t is supposed to be a minimal ssh login user and so by default the
use of screen is not supported.

To allow should be easy:

mkdir myguest; cd myguest
# Quote EOF so the shell does not treat the m4 backquotes as command substitution
cat > myguest.te << 'EOF'
policy_module(myguest, 1.0.0)
optional_policy(`
    gen_require(`
        type guest_t;
        role guest_r;
    ')

    screen_role_template(guest, guest_r, guest_t)
')
EOF
make -f /usr/share/selinux/devel/Makefile myguest.pp
sudo semodule -i myguest.pp

This will allow guest_t to run screen in the guest_screen_t domain.

You will probably want to relogin and run

restorecon -R -v -F ~/.screenrc

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux